Senx
asked on
Account Lockout Audit
Hi
I have a user that keeps getting locked out in Active Directory.
I used the Microsoft tools, but they were not helpful.
I configured the audit policy via GPO in the domain-controller-level policy as follows:
Audit account logon events: Success, Failure
Audit account management: Success, Failure
Audit directory service access: Success
Audit logon events: Success, Failure
Audit object access: Success, Failure
Audit policy change: Success
Audit privilege use: No auditing
Audit process tracking: No auditing
Audit system events: Success
But again, when I try to lock my own username, I can't find the audit event that says the account was locked out.
I have 3 domain controllers.
Thanks
ASKER
Hi
Thanks for your answer.
I figured out with ALTools what machine locked me out,
but I checked the services and scheduled tasks to see if anything ran under my account, and none of them used my account.
Are there any ideas what can lock my account?
Failed attempts to access resources using outdated credentials are the only thing.
When you say, "i figure out with altools what machine locked me out" do you mean you found the system from which the failed requests were being made, or are you talking about the DC that actually locked the account?
The DC is not the cause of the lockout; it is a consequence of failed authentication attempts that were received by it.
You need to determine the system from which your username with the wrong password was being used, and why. Is that system a terminal server? Does your last password change correspond to when your account began to be locked out? Do you have a laptop that is always on (hibernate) that you take with you and then connect to the LAN, where you still use your old password to unlock/log in to the laptop? If so, this is the source of your issue.
ASKER
Hi
Thank you for your answer.
Yes, I mean I found the system from which the failed requests were being made.
The system is not a terminal server.
XP SP3
Not a laptop
ASKER CERTIFIED SOLUTION
You should see a security event on a combination of DCs that locks the user out because of a credential mismatch.
I.e. the user changed their password, but is resuming a remote session that continuously runs on a terminal server.
The user has shared resources mapped with the old password (control keymgr.dll).
The tool will let you locate the source from which this user's credentials are being submitted.
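
The sweep across all domain controllers that the answers describe, as an added example that is not part of the original thread: it collects the lockout event for one user from every DC and tallies the caller computer. It assumes the DCs run Windows Server 2008 or later (where the lockout is Security event 4740), that the ActiveDirectory PowerShell module is available, and that the account name `jdoe` is a placeholder.

```powershell
# Added example: sweep every domain controller for lockout events of one user.
# Assumptions: DCs are Windows Server 2008 or later (lockout = event ID 4740),
# the ActiveDirectory module is installed, and the caller may read DC Security logs.
param(
    [string]$User = 'jdoe',   # hypothetical account name
    [int]$HoursBack = 24
)
Import-Module ActiveDirectory

$filter = @{
    LogName   = 'Security'
    Id        = 4740
    StartTime = (Get-Date).AddHours(-$HoursBack)
}

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $events = Get-WinEvent -ComputerName $dc.HostName -FilterHashtable $filter -ErrorAction Stop
    } catch {
        # A DC with no matching events also ends up here; report it and move on.
        Write-Warning "$($dc.HostName): $($_.Exception.Message)"
        continue
    }
    foreach ($e in $events) {
        # Turn the EventData name/value pairs into a lookup table.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        if ($data['TargetUserName'] -ne $User) { continue }
        [pscustomobject]@{
            Time           = $e.TimeCreated
            LoggedOnDC     = $dc.HostName
            User           = $data['TargetUserName']
            # In event 4740 the "Caller Computer Name" is stored in TargetDomainName.
            CallerComputer = $data['TargetDomainName']
        }
    }
}

# Timeline of lockouts, then a count per source machine.
$results | Sort-Object Time | Format-Table -AutoSize
$results | Group-Object CallerComputer | Sort-Object Count -Descending |
    Select-Object Count, Name
```

The machine named most often in the final tally is the one to check for stored credentials, mapped drives and disconnected sessions still using the old password.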